05-11-2007, 07:01 AM
|
#1
|
LQ Newbie
Registered: Apr 2007
Posts: 11
Rep:
|
How to activate FAIL_DELAY in /etc/login.defs
Hi all,
My kernel is 2.2.17/ppc and I want to activate FAIL_DELAY in /etc/login.defs. However, when I edited /etc/login.defs for FAIL_DELAY with a value of 60, it did not work. Do I need to use pam_faildelay.so? "login" in my system is under /etc/pam.d.
Can anyone help me activate FAIL_DELAY?
Regards,
kursat
|
|
|
05-12-2007, 12:33 AM
|
#2
|
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
|
Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.
|
|
|
05-14-2007, 01:35 AM
|
#3
|
LQ Newbie
Registered: Apr 2007
Posts: 11
Original Poster
Rep:
|
Quote:
Originally Posted by Matir
Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.
|
Thanks for the reply,
I'm not that familiar, but my concern is about all login attempts. So, you say login.defs does not apply to ssh. So, I think I need it for local login attempts.
|
|
|
05-14-2007, 01:40 AM
|
#4
|
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
|
Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)
|
|
|
05-14-2007, 02:33 AM
|
#5
|
LQ Newbie
Registered: Apr 2007
Posts: 11
Original Poster
Rep:
|
Quote:
Originally Posted by Matir
Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)
|
If local login is not much used, how can I delay attempts for ssh? You said it's not using /etc/login.defs, right?
|
|
|
05-14-2007, 03:40 AM
|
#6
|
LQ Veteran
Registered: Sep 2003
Posts: 10,532
|
Hi,
It's an option that's found in your /etc/sshd_config file.
Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>
Take a look at man sshd_config for all the available options.
Hope this helps.
|
|
|
05-14-2007, 03:53 AM
|
#7
|
LQ Newbie
Registered: Apr 2007
Posts: 11
Original Poster
Rep:
|
Quote:
Originally Posted by druuna
Hi,
It's an option that's found in your /etc/sshd_config file.
Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>
Take a look at man sshd_config for all the available options.
Hope this helps.
|
Thank you for the ssh option. However, I tried it and got the errors below while starting sshd.
/etc/init.d/sshd start
Starting sshd: /etc/ssh/sshd_config: line 94: Bad configuration option: AuthInteractiveFailureTimeout
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
sshd: sshd startup failed
My ssh version:
ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
Thank you. I will check man sshd for available options. Maybe my sshd is too old.
|
|
|
05-14-2007, 04:35 AM
|
#8
|
LQ Veteran
Registered: Sep 2003
Posts: 10,532
|
Hi,
My bad.....
AuthInteractiveFailureTimeout is not an option that OpenSSH supports (I'm working with too many *nix systems).
I'm unable to find an option like the one I gave in OpenSSH. You could try a combination of ChallengeResponseAuthentication yes (the default) and the login-backoff option in the /etc/login.conf (man login.conf for details). I haven't tried this before.
Sorry for the misinformation.....
|
|
|
05-14-2007, 09:27 AM
|
#9
|
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507
Rep:
|
If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.
Code:
auth optional pam_faildelay.so
|
|
|
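An added example, not part of any post in this thread: a shell check of the behaviour described in post #9, where pam_faildelay uses its own delay= argument when present and otherwise falls back to FAIL_DELAY from login.defs. It assumes delay= is in microseconds and FAIL_DELAY is in seconds, as the module and login.defs man pages document; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). pam_faildelay's delay=N is in
# microseconds; FAIL_DELAY in login.defs is in seconds.

# effective_fail_delay PAM_FILE LOGIN_DEFS
# Prints the delay in microseconds that the auth stack would request,
# or "none" if pam_faildelay is not active or no value is configured.
effective_fail_delay() {
    awk '
        FILENAME == ARGV[1] {              # login.defs: uncommented FAIL_DELAY
            if ($1 == "FAIL_DELAY" && $2 ~ /^[0-9]+$/) defs = $2
            next
        }
        $1 == "auth" && /pam_faildelay\.so/ {   # PAM file: active auth line
            found = 1; usec = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /^delay=[0-9]+$/) usec = substr($i, 7)
        }
        END {
            if (found && usec != "")      printf "%d\n", usec
            else if (found && defs != "") printf "%d\n", defs * 1000000
            else                          print "none"
        }
    ' "$2" "$1"
}

# Constructed sample files, written to DIR for the demonstration.
write_samples() {
    printf '%s\n' '# constructed login.defs' 'FAIL_DELAY 3' > "$1/login.defs"
    printf '%s\n' 'auth optional pam_faildelay.so' \
                  'auth required pam_unix.so' > "$1/sshd.fallback"
    printf '%s\n' 'auth optional pam_faildelay.so delay=5000000' \
                  'auth required pam_unix.so' > "$1/sshd.explicit"
    printf '%s\n' '#auth optional pam_faildelay.so delay=5000000' \
                  'auth required pam_unix.so' > "$1/sshd.disabled"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in fallback explicit disabled; do
    printf '%s: %s\n' "$f" \
        "$(effective_fail_delay "$demo_dir/sshd.$f" "$demo_dir/login.defs")"
done
rm -rf "$demo_dir"
```

On a real system the arguments would be the service file under /etc/pam.d and /etc/login.defs; a commented-out module line is reported as "none" because PAM never loads it.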
05-15-2007, 01:47 AM
|
#10
|
LQ Newbie
Registered: Apr 2007
Posts: 11
Original Poster
Rep:
|
Quote:
Originally Posted by Matir
If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.
Code:
auth optional pam_faildelay.so
|
Thank you for the comment. Yes, my sshd is PAM controlled. I will try the above line in /etc/pam.d/sshd. I did not see this module in my pam.rpm. This is a recent update, I guess. Hope my GLIBC will allow me to use it.
|
|
|
All times are GMT -5.